Sucuri and nvidia.com

Hi,

I just wanted to download the latest drivers for my gfx card. As the Sucuri site was open in my browser at the time, I just scanned nvidia.com, expecting that everything was okay. But Sucuri showed me a warning about nvidia.com instead (http://sitecheck.sucuri.net/results/www.nvidia.com).

As I'm no expert, I have no idea if this is a false positive. Nvidia and Sucuri don't respond to me, but maybe someone here can help me find out if there was/is a real threat. I was on nvidia.com and I'm therefore a bit worried.

Thanks!

Hi, it appears Sucuri is detecting nvidia.ru (Russian). I’ve asked Polonus to come and help you.

Hi Ijkoy & Michael (alan1998)

From a site like this one we would expect otherwise, but the overall security situation is worse than I ever thought. :-[

Here we see errors and insecurities exposed: https://asafaweb.com/Scan?Url=www.nvidia.com%2Fpage%2Fhome.html
Custom Errors Fail can expose internal configuration details to attackers.
Excessive header info also:
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
HttpOnly cookie * vuln - and clickjacking vuln warnings - misspelled domain name for malicious purposes.

As this scan is also confirming this situation: https://www.virustotal.com/nl/ip-address/184.51.126.9/information/

Well, Sucuri isn't the only scanner that detects it.
Web Security Test detects this from Javascript Check
Suspicious
.location = "htxp://www.nvidia.ru/page/home.html"; } if (existingcookie=="de") { window.location = "htxp://www.nvidia.de/page/home.html"; } if (existingcookie=="es") { window.l…
and naturally we see traces of a hack as we check the 404 error check: Suspicious
Re: http://jsunpack.jeek.org/?report=7b3271d196e510baaef41cd789101053d0df56ee
Suspicious 404 Page:
document.write(unescape('%3c')+'!-'+'-') //-->

<img src="htxp://omniture.nvidia.com/b/ss/nvidiau →
Here I get a connection refused: http://jsunpack.jeek.org/?report=333d9c6562d0eff5b0402f5a869155ff96552e0e
looks here like someone launched some bitcoin vanish attack :smiley:

So Sucuri detected a suspicious domain there: if (existingcookie=="RU") { window.location = "htxp://www.nvidia.ru/page/home.html"; } * vuln
see: http://labs.sucuri.net/db/malware/malware-entry-mwblacklisted35
so Sucuri blacklisted the site.

I would wait to go there until this site has been cleansed/taken down.

polonus
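Checking a response for the header findings polonus lists above (stack-disclosing headers, a cookie without HttpOnly, no clickjacking protection), as an added example that is not part of the thread; both response texts are constructed, the weak one mirroring the headers quoted in the post:

```python
# Added example, not from the thread: audits a raw HTTP response for the three
# asafaweb findings quoted above (stack-disclosing headers, cookies without
# HttpOnly, no clickjacking protection) and shows a hardened response passing.
from typing import List, Tuple

DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Constructed response mirroring the headers quoted in the post.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Set-Cookie: lang=RU; path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
# Constructed hardened counterpart: no stack headers, HttpOnly everywhere, XFO set.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    # Return (lowercased-name, value) pairs; repeated headers such as Set-Cookie are kept.
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw: str) -> List[str]:
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            findings.append(f"stack disclosure: {name}: {value}")
        elif name == "set-cookie":
            attrs = [p.strip().lower() for p in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append(f"cookie without HttpOnly: {value.split('=', 1)[0]}")
    framed = any(n == "x-frame-options" or
                 (n == "content-security-policy" and "frame-ancestors" in v.lower())
                 for n, v in headers)
    if not framed:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings
```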

I had seen the redirect. I thought that was a little bit weird. Thanks for the confirmation. I'll go tell Lorie to add it to the block list @ my school for a little while. You'd think they'd keep the site from being exposed like that. Such a big name being "Hacked" is not good.

Hi, Michael (alan1998)

Well, with these time-outs I'm getting now, it seems they are cleansing it all up now: http://maldb.com/www.nividia.com/
Address is unreachable. Site is down for maintenance → : http://www.downforeveryoneorjustme.com/www.nividia.com

Haven’t we been there before on their forums: http://nakedsecurity.sophos.com/2012/07/13/nvidia-android-forums-hackers/
Security history teaches us all…and then you may complete that sentence yourself, please.
From not that long ago: https://nl.dolphin-emu.org/blog/2014/01/17/hacked-up-the-VSH/ link article author = MajorR

pol

Hi Polonus,

Just a heads up that in your previous post you gave analysis results to nividia.com instead of nvidia.com.

See: http://maldb.com/www.nvidia.com/

Regards,
~!Donovan

Thanks !Donovan, see how cleverly that misspelling plays into the hands of the malcreants going here: htxp://www.nvidia.com/page/home.html

pol

Thank you very much for your answers. Can you explain where the actual vulnerability is? All I see is a redirect to the Russian Nvidia site if a certain cookie exists. Was there a hack on the Russian site, and does this redirect therefore alarm Sucuri? Sorry for my curiosity :slight_smile:

Hi, Sucuri thought the wXw.nvidia.com redirect to wXw.nvidia.ru was suspicious. May I ask why you don't use GeForce Experience to update? It's a little simpler lol.

Edit: Broke the links :slight_smile:

So apart from the redirect there's nothing really malicious, I mean it's just a redirect?

I need drivers for an old GeForce card. And since I got problems after an update, I want to switch to the drivers I had before :slight_smile:

I don't know. All I see is a redirect. Polonus indicated they were cleaning the site up. Let me check with Sucuri again. See if it comes back.

Looks like the redirect is still there.

See how it is being detected now: http://maldb.com/www.nvidia.com/#
Avast: HTML:Iframe-inf
VIPRE: Heur.HTML.MalIFrame (v)
Norman: Iframer.AU
Sophos: Mal/Iframe-V
GData: HTML:Iframe-inf
ESET-NOD32: HTML/Iframe.B.Gen

see iframe malware here: http://jsunpack.jeek.org/?report=c8be58cd122643b1335b984c2d58bd3d85f0eebb
and http://analysis.hsoub.com/websites/nvidia.com

pol

It seems like nvidia.com cleaned it up. Sucuri results are now okay. Can you confirm this, Polonus, with all your other sources? Thanks!

Edit: Never mind, Sucuri was just unable to connect, but now lists the malware again.

I rescanned nvidia.com several times over the day, always the same.

What I'm wondering about is, wouldn't there be a bigger outcry if Nvidia really delivered malware? That's why I'm under the impression that this is just some kind of sloppiness by Nvidia and not really malware. In addition, Sucuri states that nvidia.com is malicious because of a blacklisted site which comes after a redirect (the Russian site):

*Suspicious domain detected. Details: http://sucuri.net/malware/malware-entry-mwblacklisted35
    if (existingcookie=="RU") { window.location = "http://www.nvidia.ru/page/home.html"; }

When I scan http://www.nvidia.ru/page/home.html, Sucuri states that everything is fine. So in fact it's not really blacklisted?! I don't get it…

Hi Ijkoy,

A malcreant has inserted a small or hidden iFrame inside that legitimate website, read here: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Iframe-V/detailed-analysis.aspx
The infection was worked through either WordPress: http://www.ehow.com/info_12184030_html-iframeinf.html or another plug-in like Flash, Java and Adobe Reader, and will abuse exploits when found by the automated botnet - a virus found within the top 10 threats.

polonus

Thank you Polonus, but do you have any explanation of why Nvidia is not reacting if this is in fact a real threat? I mean, this has been going on for days now.

I saw in another thread that Avast contacts or is contacted by affected site admins. If Avast detects a malicious iframe there, why hasn't this problem been solved by now? To be clear, I haven't visited nvidia.com myself, but according to Polonus' maldb link, Avast detects a threat on nvidia.com.

Yes,

Nvidia is currently infected with a hidden iFrame. However, they may not know yet. Pol indicated that it looked like they were cleaning it up. When it's finished, Avast! may automatically stop detecting it. If it doesn't, then it's up to them to contact Avast! directly.

Hi,

Home.js itself (detected by Sucuri) is not malicious.

The iframe Polonus mentioned is part of Google’s Doubleclick algorithms I believe. Also see: https://support.google.com/richmedia/answer/156581?hl=en

Attached is the result of home.js with some added comments.

Regards,
~!Donovan
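Triaging the two things flagged in this thread, the cookie-driven window.location redirect and the hidden iframe, by pulling out every destination and checking its host against an allowlist of expected first-party and measurement domains. This is an added example, not the thread's or Nvidia's code; the allowlist and the page fragment (which mirrors the quoted snippets and adds one constructed hidden iframe to an unknown host for contrast) are assumptions:

```python
# Added example (not from the thread or Nvidia): extract cookie-driven window.location
# redirect targets and iframe sources from a page and flag hosts outside an assumed allowlist.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_HOST_SUFFIXES = ("nvidia.com", "nvidia.ru", "nvidia.de", "doubleclick.net")
REDIRECT_RE = re.compile(r'window\.location\s*=\s*["\']([^"\']+)["\']')

# Constructed fragment mirroring the snippets quoted in the thread, plus one
# constructed hidden iframe to an unknown host so the contrast is visible.
SAMPLE_HTML = """
<script>
if (existingcookie=="RU") { window.location = "http://www.nvidia.ru/page/home.html"; }
if (existingcookie=="de") { window.location = "http://www.nvidia.de/page/home.html"; }
</script>
<iframe src="http://3773406.fls.doubleclick.net/activityi;src=3773406" width="1" height="1"></iframe>
<iframe src="http://cdn.example.invalid/x.php" width="0" height="0" style="display:none"></iframe>
"""

def host_expected(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES)

class Triage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def _add(self, kind, url, hidden):
        self.findings.append({"kind": kind, "url": url, "hidden": hidden,
                              "expected": host_expected(url)})
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "iframe" and a.get("src"):
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ((a.get("width") in ("0", "1") and a.get("height") in ("0", "1"))
                      or "display:none" in style or "visibility:hidden" in style)
            self._add("iframe", a["src"], hidden)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):  # HTMLParser hands the <script> body here as text
        if self._in_script:
            for url in REDIRECT_RE.findall(data):
                self._add("redirect", url, False)

def triage(html: str) -> list:
    p = Triage(); p.feed(html); return p.findings
```

Findings whose host is not "expected" are the ones to escalate; a 1x1 doubleclick frame and a redirect to nvidia.ru both stay within the allowlist, which is why a hidden iframe alone is not a verdict.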

Hi !Donovan,

I get a failure "non-numeric port" there for global.php and 1 hidden iframe; blocked resources: 3773406.fls.doubleclick.net (1), which is 3773406.fls.doubleclick.net, Ghosted. I get no alerts now here: http://www.nvidia.com/page/home.html
A security certificate issue: https://secure.sw.gs:419/aaw/search/doubleclick.html

polonus